Karaf
This hub aggregates every CVE we track for Karaf, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
Summary
- CVEs tracked: 14
- Critical: 2
- High: 6
- In CISA KEV: 0

Severity distribution: Critical 2, High 6, Medium 6
Monthly trend (2024-08 to 2026-07): 0 new CVEs published in each month of this window.
Latest CVEs
The 14 most recently published vulnerabilities affecting Karaf.
- CVE-2022-40145: Apache Karaf: JDBC JAAS LDAP injection (score 9.8)
- CVE-2022-22932: Path traversal flaws (score 5.3)
- CVE-2021-41766: Insecure Java Deserialization in Apache Karaf (score 8.1)
- CVE-2020-28052: An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect p... (score 8.1)
- CVE-2020-11980: In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability ther... (score 6.3)
- CVE-2019-0226: Apache Karaf Config service provides an install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process... (score 4.9)
- CVE-2019-0191: Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo... (score 6.5)
- CVE-2018-11788: Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class.... (score 9.8)
- CVE-2018-11786: In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/wri... (score 8.8)
- CVE-2018-11787: In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of ... (score 8.1)
- CVE-2016-8648: It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execut... (score 7.2)
- CVE-2016-8750: Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence was vulnerable to LDAP injection attack... (score 6.5)
- CVE-2017-1000406: OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart). (score 7.5)
- CVE-2014-0219: Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high po... (score 5.5)